Every Application Adds Risk

Everything you download adds risk. Be safer using my three guidelines.

In a previous article, I discussed the fundamental nature of our computer’s operating system: its absolute power to see, and potentially expose, anything we do. We frequently assume, often without actually thinking about it, that the OS is trustworthy.

That may or may not be true.

When it comes to the operating system, our options are limited. There’s really no choice: in order to use our device, we must use an operating system of some sort.

When it comes to the applications we install on our computers, we have both more choice and more risk.

Every application adds direct risk

Every application you download and install on your computer – be it your desktop, laptop, tablet, or phone – is an opportunity for your security and privacy to be compromised.

We regularly give applications much broader permissions to operate on our information than they need. In Windows, most programs can read any file, whether they need to or not. For example, that desktop chess game you just downloaded has complete access to the financial spreadsheets stored elsewhere on your computer.

On the other end of the spectrum, some operating systems allow us to control permissions at a per-application level. For example, when installing an app on an Android-based device, you’ll often be presented with a list of things to which the new application requires access.

If we want the application at all, we must grant it all the permissions it requests. And that’s exactly what most people, including myself, do: zip through the list of permissions requested as if it were a license agreement, and accept it all, without reading or considering.
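To make that permission list concrete, here is an added example (not part of the original article) that reads the permissions an Android app declares and flags the ones that go beyond what you'd expect for its purpose. The manifest, the package name `com.example.chess`, and the `EXPECTED` baseline are constructed for illustration; it assumes the manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: decoded manifest of a hypothetical chess game.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chess">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Chess"/>
</manifest>"""

# Assumption: what the reviewer decides a chess game plausibly needs.
EXPECTED = {"android.permission.INTERNET", "android.permission.VIBRATE"}

# Permissions that reach personal data, and what they expose.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "text messages",
    "android.permission.CAMERA": "camera",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(name_attr)
            if name:
                perms.add(name)
    return perms

def review(manifest_xml, expected):
    """Split requested permissions into expected and unexpected ones."""
    requested = requested_permissions(manifest_xml)
    excess = requested - set(expected)
    return {
        "requested": sorted(requested),
        "unexpected_sensitive": sorted(p for p in excess if p in SENSITIVE),
        "unexpected_other": sorted(p for p in excess if p not in SENSITIVE),
    }

if __name__ == "__main__":
    for perm in review(SAMPLE_MANIFEST, EXPECTED)["unexpected_sensitive"]:
        print("Unexpected access to %s: %s" % (SENSITIVE[perm], perm))
```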

Any application we install could be malicious. It could be explicitly malicious – meaning malware – or it could be less obviously malicious, sharing more information with third parties than we realize, violating our assumptions of privacy.

As we’ll see in a moment, as long as we take appropriate care, we can be relatively safe – but the possibility exists.

Every application adds indirect risk

Even the best-intentioned application includes risk, even if indirectly.

The program could have bugs. It could have errors or omissions that, in turn, could be leveraged by other, malicious software. It could “leak” our information unintentionally in ways third parties can intercept and collect.

Again, none of these risks are included purposefully, but rather as a side effect of oversight, poor design, poor coding or other unintentional accidents.

A great example might be Adobe Flash. It’s not malicious. It’s not intentionally allowing malware on our computers, or intentionally exposing our information to others. But it has so many bugs, errors, and vulnerabilities that its mere presence on your machine – particularly if not updated regularly – increases the risk of other software leveraging those issues to do harm.

All software has bugs. Thus, all software comes with some risk that those bugs, once discovered, could be used by others for unintended actions.

Once again, it all comes back to trust

You and I can’t be expected to understand all the details and nuances of software design and marketing. It’s too complex and ever-changing.

Instead, we rely on third parties. Or, more correctly, we rely on our trust of third parties to either do or provide the right thing, or act as a resource to let us know when the right thing isn’t happening.

This is why I so strongly warn against using download sites. The third parties involved – the download sites themselves – have a poor track record of providing software that can be trusted. Instead, I recommend you take the effort to locate the original vendor of whatever software you’re looking for and download directly from the source.

Assuming, of course, you trust them.

I discuss ways of developing and evaluating trust in What Does It Mean for a Source to be “Reputable”? The advice there applies equally here. When it comes to the software you install on your machine – any software – you must weigh the benefits against the risks, and take care to make sure you trust the source.

Rule of thumb: don’t install what you don’t need

The most secure software of all is the software that isn’t on your machine. If it’s not there, it can’t harm you.

I’m sure you know someone who constantly downloads and installs software on their machine. Be it a bevy of anti-malware tools, the latest games, or who-knows-what, their machine eventually becomes unstable – or worse, their online accounts get hacked as a result of malware that accompanied all those downloads…

…all for things they probably didn’t really need.

Don’t be that person.

Think carefully before installing any software on your computer or other device. Even the most trustworthy and reputable software comes with side effects of some sort, and in the worst case, as we’ve seen, there’s a risk of more malicious intent as well.

Make sure you need it. Make sure you trust the author. Make sure you get it from a source you trust.

And when in doubt, don’t install it. You’re safer that way.

Is anything safe?

All this sounds pretty daunting and perhaps even a little overwhelming. You might be wondering if anything’s ever safe.

The good news is that, for the most part, the software you need, from reputable sources, is generally not malicious, and generally well behaved. There are bad actors out there, of course, but keeping these basic rules of thumb in mind will generally allow you to be safe.

Only install what you need.

Install only reputable software from well-known sources.

Download only from the vendor’s own download site or instructions.

If you’re at all concerned about security and privacy – and you should be – it’s important to be aware and keep these rules in mind.

You’ll have a much safer and more confident experience.

Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.

I rely on people I trust like yourself, Bob Rankin, and a few others to recommend software that might be of use to me. I very rarely just search for software on the internet, precisely because of the potential problems that you identify. And I also accept that very occasionally even you might recommend something problematic – but that hasn’t happened yet, probably because of the care that you take before recommending anything!!

Commenting has been terminated on the older format articles which are on ask-leo.com. That is due to the way comments are being handled through WordPress, which doesn’t support comments from the older articles. Gradually, relevant articles are being converted to the new format and comments are being reopened for those articles.

The enjoyment I get from having a PC is downloading and trying out all sorts of new (to me) programs. I always have up-to-date backups. I think Leo may have mentioned backups a couple times. 😉
Sometimes, at the senior center, someone will ask me questions I can’t answer right away, so I make notes, go home and try the program they had questions about, and come back with answers. I keep two Windows machines, because most of the people in class use Windows.
My point is, being careful is great, but being afraid to install anything detracts from your ability to use your PC and the internet.
I know that’s not what Leo is saying, but I also know that that is how some of the people in class will take it. …And, of course, most people in class read AskLeo regularly. 🙂